CVSS: 7.1EPSS: 2%CPEs: 88EXPL: 0CVE-2009-0652 – firefox: does not properly prevent the literal rendering of homoglyph characters in IDN domain names (spoof URLs and conduct phishing attacks)
https://notcve.org/view.php?id=CVE-2009-0652
20 Feb 2009 — The Internationalized Domain Names (IDN) blacklist in Mozilla Firefox 3.0.6 and other versions before 3.0.9; Thunderbird before 2.0.0.21; and SeaMonkey before 1.1.15 does not include box-drawing characters, which allows remote attackers to spoof URLs and conduct phishing attacks, as demonstrated by homoglyphs of the / (slash) and ? (question mark) characters in a subdomain of a .cn domain name, a different vulnerability than CVE-2005-0233. NOTE: some third parties claim that 3.0.6 is not affected, but much ... • http://lists.immunitysec.com/pipermail/dailydave/2009-February/005556.html •
CVSS: 10.0EPSS: 74%CPEs: 70EXPL: 0CVE-2009-0352 – Firefox layout crashes with evidence of memory corruption
https://notcve.org/view.php?id=CVE-2009-0352
04 Feb 2009 — Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the layout engine and destruction of arbitrary layout objects by the nsViewManager::Composite function. Múltiples vulnerabilidades no especificadas en Mozilla Firefox 3.x antes de 3.0.6, Thunderbird antes de 2.0.0.21, y SeaMonkey... • http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00001.html • CWE-399: Resource Management Errors •
CVSS: 10.0EPSS: 71%CPEs: 70EXPL: 0CVE-2009-0353 – Firefox javascript crashes with evidence of memory corruption
https://notcve.org/view.php?id=CVE-2009-0353
04 Feb 2009 — Unspecified vulnerability in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the JavaScript engine. Vulnerabilidad sin especificar en Mozilla Firefox v3.x anterior a v3.0.6, Thunderbird anterior a v2.0.0.21, y SeaMonkey anterior a v1.1.15 permite a atacantes remotos provocar una denegación de servicio (corrupción d... • http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00001.html • CWE-399: Resource Management Errors •
CVSS: 5.3EPSS: 0%CPEs: 98EXPL: 0CVE-2009-0357 – Firefox XMLHttpRequest allows reading HTTPOnly cookies
https://notcve.org/view.php?id=CVE-2009-0357
04 Feb 2009 — Mozilla Firefox before 3.0.6 and SeaMonkey before 1.1.15 do not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. Mozilla Firefox anterior a v3.06 y SeaMonkey anterior a v1.1.15 no restringe adecuadamente el acceso desde las páginas web a las cabeceras de respuesta HTTP (1) Set-Cookie y (2) Set-Cookie2, lo qu... • http://ha.ckers.org/blog/20070511/bluehat-errata • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.2EPSS: 0%CPEs: 58EXPL: 0CVE-2008-5913 – mozilla: in-session phishing attack
https://notcve.org/view.php?id=CVE-2008-5913
20 Jan 2009 — The Math.random function in the JavaScript implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, uses a random number generator that is seeded only once per browser session, which makes it easier for remote attackers to track a user, or trick a user into acting upon a spoofed pop-up message, by calculating the seed value, related to a "temporary footprint" and an "in-session phishing attack." La función Math.random en la implementación de JavaScript en Moz... • http://arstechnica.com/news.ars/post/20090113-new-method-of-phishmongering-could-fool-experienced-users.html •
CVSS: 6.1EPSS: 2%CPEs: 10EXPL: 0CVE-2008-5511 – Firefox XSS via XBL bindings to unloaded document
https://notcve.org/view.php?id=CVE-2008-5511
17 Dec 2008 — Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy and conduct cross-site scripting (XSS) attacks via an XBL binding to an "unloaded document." Mozilla Firefox 3.x antes de v3.0.5 y 2.x antes de v2.0.0.19, Thunderbird 2.x antes 2.0.0.19 y SeaMonkey 1.x antes de v1.1.14 permite a atacantes remotos evitar la política de mismo origen y llevar a cabo ataques de secuencias de comandos ... • http://secunia.com/advisories/33184 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 4%CPEs: 54EXPL: 0CVE-2008-5503 – Firefox 2 Information stealing via loadBindingDocument
https://notcve.org/view.php?id=CVE-2008-5503
17 Dec 2008 — The loadBindingDocument function in Mozilla Firefox 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 does not perform any security checks related to the same-domain policy, which allows remote attackers to read or access data from other domains via crafted XBL bindings. La función loadBindingDocument en Mozilla Firefox 2.x antes de v2.0.0.19, Thunderbird 2.x antes de v2.0.0.19 y SeaMonkey 1.x antes de v1.1.14 no realiza ninguna comprobación de seguridad relacionada con l... • http://secunia.com/advisories/33184 •
CVSS: 6.8EPSS: 1%CPEs: 10EXPL: 0CVE-2008-5506 – Firefox XMLHttpRequest 302 response disclosure
https://notcve.org/view.php?id=CVE-2008-5506
17 Dec 2008 — Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy by causing the browser to issue an XMLHttpRequest to an attacker-controlled resource that uses a 302 redirect to a resource in a different domain, then reading content from the response, aka "response disclosure." Mozilla Firefox 3.x versiones anteriores a v3.0.5 y 2.x versiones anteriores a v2.0.0.19, Thunderbird 2.x versiones an... • http://secunia.com/advisories/33184 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 4%CPEs: 5EXPL: 0CVE-2008-5502 – JavaScript engine crash - Firefox 3 only
https://notcve.org/view.php?id=CVE-2008-5502
17 Dec 2008 — The layout engine in Mozilla Firefox 3.x before 3.0.5, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to cause a denial of service (crash) via vectors that trigger memory corruption, related to the GetXMLEntity and FastAppendChar functions. El motor de diseño en Mozilla Firefox 3.x antes de v3.0.5, Thunderbird 2.x antes de v2.0.0.19 y SeaMonkey 1.x antes de v1.1.14 permite a atacantes remotos provocar una denegación de servicio (caída) mediante vectores que disparan... • http://secunia.com/advisories/33188 • CWE-399: Resource Management Errors •
CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 0CVE-2008-5507 – Firefox Cross-domain data theft via script redirect error message
https://notcve.org/view.php?id=CVE-2008-5507
17 Dec 2008 — Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allow remote attackers to bypass the same origin policy and access portions of data from another domain via a JavaScript URL that redirects to the target resource, which generates an error if the target data does not have JavaScript syntax, which can be accessed using the window.onerror DOM API. Mozilla Firefox 3.x versiones anteriores a v3.0.5 y 2.x versiones anteriores a v2.0.0.19, Th... • http://scary.beasts.org/security/CESA-2008-011.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •